Simple tool to query which things in AWS are using a specific security group.
#!/usr/bin/env bash
#
# Simple script to list resources that are using a specified Security Group.
#
# The first command line argument is the ID of the Security Group to check
# for. Any further arguments are forwarded verbatim to every aws CLI call
# (for example --profile or --region), see awsExtraArgs below.
#
# Currently supports these resources:
#
# * EC2 Instances
# * EC2 LoadBalancers
# * RDS DB Instances
# * Directory Instances
#
# Output is one resource per line in the format of:
#
# NameOfResourceType=ResourceIdentifier
#
# Example:
#
# ./sg-tool sg-0f9ff74829dd331cd
# InstanceId=i-074c0dab3891a1283
# InstanceId=i-0e2ce6229560ba68b
# LoadBalancerName=test-elb
# DBInstanceIdentifier=test-rds-instance
# DirectoryName=test.ad.example.com
#
# Requires AWS CLI installed and working (uses current profile) and jq.
#
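set -euo pipefail
IFS=$'\n\t'

securityGroupId="${1:-}"
if [[ -z "$securityGroupId" ]]; then
  # Usage errors go to stderr so they never end up in a consumer's parsed
  # output (stdout is reserved for the Type=Identifier lines).
  printf '%s\n' "Please provide the security group id as the first argument" >&2
  exit 1
fi
# Strict allow-list. The id is later used inside an EC2 API filter value and a
# jq expression, so only accept "sg-" followed by hex digits (AWS ids are
# lowercase hex; the length is deliberately not pinned so both the older
# 8-char and the 17-char form pass).
if ! [[ "$securityGroupId" =~ ^sg-[0-9a-f]+$ ]]; then
  printf '%s\n' "That doesn't look like a valid security group id. (Expected format sg-<hex digits>, e.g. sg-0f9ff74829dd331cd)" >&2
  exit 1
fi
shift
# Everything after the security group id is handed to every aws invocation as
# extra options (e.g. --profile, --region). Kept as an array so that values
# containing whitespace survive intact.
awsExtraArgs=( "$@" )
# Push this in, just in case the user selects a profile which has text or
# table as the default output; the jq filters below need JSON.
awsExtraArgs+=("--output" "json")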
#
# Cheekily lifted from here https://github.com/bpm-rocks/array/blob/master/libarray#L8-L44
#
# Tests whether a value is present in a list.
#
# $1   - The value to look for
# $2.. - The list to search (pass an array as "${arr[@]}")
#
# Returns 0 when at least one list element is exactly equal to the value,
# 1 otherwise. This is a plain string comparison, not a pattern match.
array::contains() {
  local wanted="$1"
  local candidate
  shift
  for candidate in "$@"; do
    [[ "$candidate" == "$wanted" ]] && return 0
  done
  return 1
}
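# Lists all DBInstanceIdentifiers in the current account/region
#
# Takes no arguments (reads the global awsExtraArgs array)
#
# Returns a list of all RDS DBInstanceIdentifiers, one per line on stdout.
# The exit status is that of the aws|jq pipeline (pipefail is set), so a
# failed API call is reported as non-zero rather than as an empty list.
function list_db_instances {
  # Extra args are quoted: unquoted "${arr[@]}" would be glob-expanded.
  aws rds describe-db-instances "${awsExtraArgs[@]}" \
    | jq -r '.DBInstances[].DBInstanceIdentifier'
}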
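# List all Security Groups in use by a specific DB instance
#
# $1 - The DBInstanceIdentifier to check
#
# Returns a list of VPC Security Group ids attached to the DB Instance, one
# per line. Only memberships whose Status is "active" are reported; a group
# in any other state is ignored.
function list_db_sg {
  local dbName
  dbName="$1"
  aws rds describe-db-instances --db-instance-identifier "$dbName" "${awsExtraArgs[@]}" \
    | jq -r '.DBInstances[].VpcSecurityGroups[] | select( .Status == "active") | .VpcSecurityGroupId'
}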
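# List DB Instances using a specific Security Group
#
# $1 - Security Group Id to check for
#
# Returns a list of all DB Instances with the specified Security Group
# attached, one DBInstanceIdentifier per line. Returns 1 as soon as any of
# the underlying aws calls fails, so a permissions/API error is not reported
# as "no DB instance uses this group".
function list_db_using_sg {
  local sgId dbName raw
  local -a dbNames sgList
  sgId="$1"
  # Capture with $(...) before splitting into an array: mapfile fed through
  # process substitution discards the producer's exit status.
  raw="$(list_db_instances)" || return 1
  mapfile -t dbNames < <(printf '%s' "$raw")
  # Guard the expansion below: "${arr[@]}" on an empty array trips set -u on
  # bash older than 4.4.
  (( ${#dbNames[@]} > 0 )) || return 0
  for dbName in "${dbNames[@]}"; do
    raw="$(list_db_sg "$dbName")" || return 1
    mapfile -t sgList < <(printf '%s' "$raw")
    if (( ${#sgList[@]} > 0 )) && array::contains "$sgId" "${sgList[@]}"; then
      printf '%s\n' "$dbName"
    fi
  done
  return 0
}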
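# List Directories (Directory Service) using the specific Security Group
#
# $1 - SecurityGroupID to check for
#
# Returns a list of names of Directories whose VpcSettings.SecurityGroupId
# equals the given id, one per line.
function list_directories {
  local sgId
  sgId="$1"
  # The id is bound as a jq variable with --arg rather than spliced into the
  # filter text, so a value containing quotes or jq syntax cannot change the
  # query (the top-level validation only allows sg-<hex>, this keeps it safe
  # even if that check is relaxed later).
  aws ds describe-directories "${awsExtraArgs[@]}" \
    | jq -r --arg sgId "$sgId" '.DirectoryDescriptions[] | select(.VpcSettings.SecurityGroupId == $sgId) | .Name'
}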
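# Lists the instanceIds that are using the specified security group
#
# $1 - The SecurityGroupId to check for.
#
# Returns a list of InstanceId's that have at least one network interface in
# the SecurityGroup, one per line, de-duplicated and sorted.
#
# Caveat: only interfaces whose Attachment carries an InstanceId are reported.
# Interfaces in the group that belong to something other than an EC2 instance
# are dropped by the select below, so an empty result does not prove the group
# is unreferenced.
function list_instances {
  local sgId
  sgId="$1"
  # sort -u collapses instances that have several interfaces in the group,
  # which would otherwise be printed once per interface.
  aws ec2 describe-network-interfaces --filters "Name=group-id,Values=$sgId" "${awsExtraArgs[@]}" \
    | jq -r '.NetworkInterfaces[].Attachment | select( .InstanceId != null) | .InstanceId' \
    | LC_ALL=C sort -u
}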
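# Lists all Load Balancer names
#
# Takes no arguments (reads the global awsExtraArgs array)
#
# Returns a list of all Load Balancer names, one per line. This uses the
# `aws elb` API, i.e. Classic Load Balancers only; load balancers served by
# the elbv2 API are not covered by this script.
function list_lb {
  aws elb describe-load-balancers "${awsExtraArgs[@]}" \
    | jq -r '.LoadBalancerDescriptions[].LoadBalancerName'
}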
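# Lists all Security Groups in use by a specific Load Balancer
#
# $1 - The name of the Load Balancer to check
#
# Returns a list of all Security Group ids attached to the Load Balancer,
# one per line.
function list_lb_sg {
  local lbName
  lbName="$1"
  aws elb describe-load-balancers --load-balancer-names "$lbName" "${awsExtraArgs[@]}" \
    | jq -r '.LoadBalancerDescriptions[].SecurityGroups[]'
}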
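# List Load Balancers using a specific Security Group
#
# $1 - Security Group Id to check for
#
# Returns a list of all Load Balancers with the specified Security Group
# attached, one name per line. Returns 1 as soon as any of the underlying
# aws calls fails, so a permissions/API error is not reported as "no load
# balancer uses this group".
function list_lb_using_sg {
  local sgId lbName raw
  local -a lbNames sgList
  sgId="$1"
  # Capture with $(...) before splitting into an array: mapfile fed through
  # process substitution discards the producer's exit status.
  raw="$(list_lb)" || return 1
  mapfile -t lbNames < <(printf '%s' "$raw")
  # Guard the expansion below: "${arr[@]}" on an empty array trips set -u on
  # bash older than 4.4.
  (( ${#lbNames[@]} > 0 )) || return 0
  for lbName in "${lbNames[@]}"; do
    raw="$(list_lb_sg "$lbName")" || return 1
    mapfile -t sgList < <(printf '%s' "$raw")
    if (( ${#sgList[@]} > 0 )) && array::contains "$sgId" "${sgList[@]}"; then
      printf '%s\n' "$lbName"
    fi
  done
  return 0
}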
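# Reports a failed lookup on stderr and aborts with status 2.
#
# $1 - Human-readable description of what was being listed
#
# Used by main so that an API or permissions error is surfaced instead of
# being shown as "nothing uses this group" — output from this tool is the
# kind of thing people use to decide a group is safe to delete.
function die_lookup {
  printf 'error: listing %s failed; not reporting a possibly incomplete result\n' "$1" >&2
  exit 2
}
# Entry point: prints every supported resource that references the Security
# Group, one per line in the form ResourceType=Identifier.
#
# $1 - The SecurityGroupId to check for
#
# Exits 0 after printing. An empty output only means none of the four
# resource types handled here (EC2 instances via their network interfaces,
# Classic ELBs, RDS instances, Directory Service directories) reference the
# group; other services and other groups' rules are not inspected. Exits 2 if
# any lookup fails.
function main {
  local sgId raw
  local -a iList lbList dbList dirList
  sgId="$1"

  # Each lookup is captured with $(...) and only then split into an array:
  # feeding it to mapfile through process substitution would discard the
  # lookup's exit status and turn a failed API call into an empty list.
  raw="$(list_instances "$sgId")" || die_lookup "EC2 instances"
  mapfile -t iList < <(printf '%s' "$raw")
  raw="$(list_lb_using_sg "$sgId")" || die_lookup "Load Balancers"
  mapfile -t lbList < <(printf '%s' "$raw")
  raw="$(list_db_using_sg "$sgId")" || die_lookup "RDS DB Instances"
  mapfile -t dbList < <(printf '%s' "$raw")
  raw="$(list_directories "$sgId")" || die_lookup "Directories"
  mapfile -t dirList < <(printf '%s' "$raw")

  # Length checks guard the "${arr[@]}" expansions under set -u on older bash.
  if (( ${#iList[@]} > 0 )); then
    printf 'InstanceId=%s\n' "${iList[@]}"
  fi
  if (( ${#lbList[@]} > 0 )); then
    printf 'LoadBalancerName=%s\n' "${lbList[@]}"
  fi
  if (( ${#dbList[@]} > 0 )); then
    printf 'DBInstanceIdentifier=%s\n' "${dbList[@]}"
  fi
  if (( ${#dirList[@]} > 0 )); then
    printf 'DirectoryName=%s\n' "${dirList[@]}"
  fi
  exit 0
}
main "$securityGroupId"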